Microsoft Patches Two Zero-Day Flaws this Month

Microsoft has patched over 60 vulnerabilities in this month’s security update round, including two that are being actively exploited in the wild.

There are a total of 21 critical CVEs to patch in May, one of which, CVE-2018-8174, is a remote code execution flaw in the Windows VBScript Engine which could allow an attacker to execute arbitrary code.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Hackers could trick users into visiting a compromised site or one featuring malicious ads; alternatively, attackers could exploit the vulnerability through an embedded ActiveX application or specially crafted Office documents that host the IE rendering engine.

If an attacker can’t gain privileged access that way, they could chain it with an elevation of privilege bug such as the other CVE being exploited in the wild: CVE-2018-8120, which affects older versions of Windows (Win7, Server 2008, Server 2008 R2).

“This vulnerability allows an attacker who is logged onto a system to run a specially crafted file to gain privileged access to the system,” explained Ivanti director of product management, security, Chris Goettl. “At that point the attacker would have full permissions to install or remove programs, add users, view, change, or delete data.”

There are also two public disclosures this month, meaning there’s enough info out there on how the vulnerabilities work that attackers could create exploits before firms have a chance to update their systems.

CVE-2018-8141 is an information disclosure vulnerability in the Windows Kernel that could allow an attacker to gain additional information with which to further compromise the system, while CVE-2018-8170 is a Windows Image elevation of privilege flaw. In both cases attackers would need to have logged on or gained locally authenticated access to the system to exploit it, according to Goettl.

This month’s releases also contain an out-of-band patch for CVE-2018-8115, affecting the Windows Host Compute Service Shim library, which helps to launch Windows Server containers from providers like Docker.

“A malicious container could allow an attacker to execute arbitrary code on any system installing (or ‘pulling’) the container,” explained Trustwave threat intelligence manager, Karl Sigler. “Microsoft issued an out of band patch for this vulnerability last week, but rolled it up into Patch Tuesday for those that didn't manually install the patch.”